remove user sessions if the password has changed (#5373)

redaxo · Oct 16, 2022 · 84a2dd8 · 84a2dd8
1 parent 2521df4
commit 84a2dd8
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/redaxo/src/addons/users/pages/users.php b/redaxo/src/addons/users/pages/users.php
@@ -174,6 +174,10 @@
         'password' => $userpsw,
     ], true));
 
+    if (null !== $passwordHash) {
+        rex_user_session::getInstance()->removeSessionsExceptCurrent($userId);
+    }
+
     if ('' != $fUNCUPDATE) {
         $userId = 0;
         $fUNCUPDATE = '';

diff --git a/redaxo/src/core/lib/login/backend_login.php b/redaxo/src/core/lib/login/backend_login.php
@@ -197,6 +197,9 @@ public function changedPassword(
 
         if (null !== $passwordHash) {
             parent::changedPassword($passwordHash);
+            if (null !== $user = $this->getUser()) {
+                rex_user_session::getInstance()->removeSessionsExceptCurrent($user->getId());
+            }
         }
     }
 

diff --git a/redaxo/src/core/lib/login/user_session.php b/redaxo/src/core/lib/login/user_session.php
@@ -84,4 +84,17 @@ public function removeSession(string $sessionId, int $userId): bool
 
         return $sql->getRows() > 0;
     }
+
+    public function removeSessionsExceptCurrent(int $userId): void
+    {
+        $sessionId = session_id();
+        if (false === $sessionId || '' === $sessionId) {
+            return;
+        }
+
+        rex_sql::factory()
+            ->setTable(rex::getTable('user_session'))
+            ->setWhere('session_id != ? and user_id = ?', [$sessionId, $userId])
+            ->delete();
+    }
 }